Researchers have uncovered a new threat to Android devices, the Pixnapping attack, which allows attackers to read sensitive data from the screen, including two-factor authentication (2FA) codes, private chats, and even geolocation history. All it takes is for the user to install a malicious app that doesn't require any system permissions, Ars Technica reports.
Pixnapping works by using a side channel similar to the well-known GPU.zip vulnerability, which analyzes how much time the GPU spends rendering individual pixels on the screen. This allows a malicious application to gradually "recreate" an image displayed by another application, effectively taking a screenshot without the user's permission.
The researchers demonstrated the exploit on Google Pixel and Galaxy S25 smartphones. In their experiments, they recovered 6-digit Google Authenticator codes 73% of the time on the Pixel 6, 53% on the Pixel 7, 29% on the Pixel 8, and 53% on the Pixel 9. The average time to retrieve a code was between 14 and 26 seconds, which is less than the standard 30-second validity interval for one-time passwords.
"Anything that is visible when the target app is opened can be stolen by the malicious app using Pixnapping: chat messages, 2FA codes, email messages, etc.," the researchers said in a report.
Google released a partial fix in its September security bulletin (CVE-2025-48561) and plans an additional patch in December. The company said there is no evidence of the attack being used in real-world settings, but researchers reported that modified versions of Pixnapping could still work after the update.
Experts emphasize that, despite the complexity and technical demands of the attack, it demonstrates weaknesses in Android's security model, in particular the assumption that one application cannot access another application's data.
Experts advise users to download applications only from the official Google Play store, install security updates in a timely manner, and be careful with suspicious programs.